Health Privacy
At Blue Cross and Blue Shield of Nebraska, maintaining the privacy of your protected health information (also called PHI) is very important to us. This document provides you with important information about how we use and disclose your PHI and how you can access it. PLEASE READ THIS INFORMATION CAREFULLY.
PHI means information about you that is unique to you, including your name, address, telephone number, and Social Security Number. It’s also health information that we have gotten from you or from hospitals, doctors, other health care providers, health insurance companies, your employer and health care information clearinghouses related to:
- your past, present or future physical or mental health or condition;
- the delivery of health care to you; or
- past, present or future payment for health care services you receive.
This Notice of Privacy Practices document describes how Blue Cross and Blue Shield of Nebraska may use and/or disclose your PHI. It also describes the rights you have regarding your PHI. In this notice, “you” refers to you, our customer, and your covered family members. “We” means Blue Cross and Blue Shield of Nebraska.
We are required by federal and state laws to maintain the privacy of your PHI. We are also required to provide you with this notice about our privacy practices, our legal duties, and your rights concerning your PHI. We must follow the privacy practices described in this notice. These privacy practices will remain in effect until we replace or revise them.
We reserve the right to change our privacy practices as described in this document at any time, provided it is permitted by law. We may make changes to our PHI privacy practices, including PHI that we received or created before the change was made. Before we make a significant change in our privacy practices, we will revise this notice and send it to you.
You may have additional privacy rights under state law. State laws that provide greater privacy protection or rights will continue to apply.
You may also request a printed copy of our Notice of Privacy Practices (also available in Spanish as Aviso de Prácticas de Privacidad) at any time. For more information about our privacy practices, or for additional copies of this notice, please contact us.
How We Use and Disclose Your PHI
In order to administer our health care plans effectively, we will collect, use and disclose PHI for certain types of activities, including benefit payment and health care operations. The following is a description of how we may use and/or disclose PHI about you for payment and health care operations:
We may use and disclose your PHI for all activities that are included within the HIPAA* Privacy Rule’s definition of “payment.” For example, we may use or disclose your PHI to pay claims from doctors, hospitals, pharmacies and others for services delivered to you that are covered by your health plan, to determine your eligibility for benefits, to coordinate benefits, to examine medical necessity, to obtain premiums, and to issue Explanations of Benefits. We have not listed here all of the activities included within HIPAA’s definition of “payment,” so please refer to the HIPAA Privacy Rule for a complete list. More information about HIPAA and the Privacy Rule may be found here.
We may use and/or disclose your PHI to assist health care providers in connection with their treatment or payment activities, or to assist other covered entities in connection with their payment activities and certain other health care operations. For example, we may disclose your PHI to a health care provider when it is needed to treat you, or we may disclose PHI to another covered entity to conduct health care operations in the areas of quality assurance and improvement activities, or accreditation, certification, licensing or credentialing.
For more information about covered entities, please visit the following links:
If you need help determining if you are interacting with a Covered Entity, please refer to the CMS Covered Entity Decision Tool: Covered Entity Decision Tool.
Disclosures of PHI
The following is a description of disclosures that we are required by law to make:
Your authorization is required for us to use and/or disclose your PHI in any situation not listed in the previous section. We may not use and/or disclose your PHI without your written authorization for any reason except those described in this notice. You may give us a written authorization to use your PHI or to disclose it to anyone you specify. If you give us this authorization, you may revoke it in writing at any time, except to the extent that action has already been taken in reliance upon the authorization.
- If we maintain or receive psychotherapy notes about you, most disclosures of these notes require your authorization.
- To the extent (if any) that we might use or disclose your PHI for our fundraising practices, we will provide you with the ability to opt out of future fundraising communications.
- Most (but not all) uses and disclosures of your PHI for marketing purposes and disclosures that constitute a sale of PHI require your authorization.
You can obtain a copy of our authorization form by contacting us.
Your Rights
You have certain rights related to your PHI.
You have the right to inspect and obtain copies of your PHI that we maintain. This may include an electronic copy in certain circumstances if requested in writing. To request to inspect and copy your PHI, you must complete and sign a form available by contacting us. For the full digital copy with more information regarding your rights to inspect and copy your PHI, view this document. For a Spanish version, view this document.
We may deny your request to inspect and copy your PHI in certain limited circumstances. For more information regarding inspecting and copying your PHI, please read the full digital copy of this form. If you are denied access to your information, you may request that the denial be reviewed. A licensed health care professional chosen by us will review your request and the denial.
You have the right to request that we amend (make changes to) your PHI. Your request must clearly state the information to be amended and the reasons for doing so. All requests must be in writing using a form obtained by calling or writing to us. To request a copy of this form, please contact us.
We reserve the right to deny your request. In the event your request is denied, a written explanation of the reasons for denial will be provided to you. You may respond to our denial by filing a written statement of disagreement. If we approve your request to amend the information, we will make reasonable efforts to inform others of the amendment and to include the changes in any future disclosures. For the full digital copy with more information regarding your rights to request an amendment of your PHI, please read the digital copy of this document.
You have the right to request that we place additional restrictions on our use and/or disclosure of your PHI for treatment, payment or health care operations. We are not required to agree to any additional restrictions; however, if we do, we will abide by those restrictions (except in emergency situations). To request additional restrictions, you must complete and sign a form available by contacting us.
You are entitled to receive this notice in paper form. To do so, please contact us. For the full digital copy, view Notice of Privacy Practices. For a Spanish version, view Aviso de Prácticas de Privacidad.
What are important things you should consider before authorizing a third-party app to retrieve your health care data?
It is important for you to take an active role in protecting your health information. Knowing what to look for when choosing an app can help you make more informed decisions. You should look for an easy-to-read privacy policy that clearly explains how the app will use your data. If an app does not have a privacy policy, you should not use the app.
You should consider:
- What health data will this app collect? Will this app collect non-health data from my device, such as my location?
- Will my data be stored in a de-identified or anonymized form?
- How will this app use my data?
- Will this app disclose my data to third parties?
- Will this app sell my data for any reason, such as advertising or research?
- Will this app share my data for any reason? If so, with whom? For what purpose?
- How can I limit this app’s use and disclosure of my data?
- What security measures does this app use to protect my data?
- What impact could sharing my data with this app have on others, such as my family members?
- How can I access my data and correct inaccuracies in data retrieved by this app?
- Does this app have a process for collecting and responding to user complaints?
- If I no longer want to use this app, or if I no longer want this app to have access to my health information, how do I terminate the app’s access to my data?
- What is the app’s policy for deleting my data once I terminate access? Do I have to do more than just delete the app from my device?
- How does this app inform users of changes that could affect its privacy practices?
If the app’s privacy policy does not clearly answer these questions, you should reconsider using the app to access your health information. Health information is very sensitive information, and you should be careful to choose apps with strong privacy and security standards to protect it.
What should you consider if you are part of an enrollment group?
You may be part of an enrollment group where you share the same health plan as multiple members of your tax household. Often, the primary policy holder and other members can access information for all members of an enrollment group unless a specific request is made to restrict access to member data. If you share a tax household but do not want to share an enrollment group, you can enroll individual household members into separate enrollment groups, even while applying for Exchange coverage and financial assistance on the same application. However, this may result in higher premiums for the household; some members (i.e., dependent minors) may not be able to enroll in all QHPs in a service area if enrolling in their own enrollment group; and total out-of-pocket expenses may be higher if each member has to meet a separate annual limitation on cost sharing (i.e., Maximum Out-of-Pocket (MOOP)).
Complaints
If you believe your privacy rights have been violated, you may file a written complaint with us or you may submit a written complaint with the U.S. Department of Health and Human Services. We will not retaliate against you for filing a complaint.
You can receive a copy of our complaint form by contacting us. We will respond to your complaint within 60 days of receipt of the form. All complaints must be in writing using the designated Blue Cross and Blue Shield of Nebraska form.
Oversight responsibilities of the Office for Civil Rights (OCR) and the Federal Trade Commission (FTC)
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces federal civil rights laws, conscience and religious freedom laws, the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule, which together protect your fundamental rights of nondiscrimination, conscience, religious freedom, and health information privacy. OCR protects your rights by:
- Teaching health and social service workers about civil rights laws, conscience and religious freedom laws, health information privacy, and patient safety confidentiality laws.
- Educating communities about civil rights, conscience and religious freedom rights, and health information privacy rights.
- Investigating civil rights, conscience and religious freedom, health information privacy, and patient safety confidentiality complaints to identify discrimination or violation of the law and taking action to correct problems.
The FTC is the only federal agency with both consumer protection and competition jurisdiction in broad sectors of the economy. The FTC pursues vigorous and effective law enforcement; advances consumers’ interests by sharing its expertise with federal and state legislatures and U.S. and international government agencies; develops policy and research tools through hearings, workshops, and conferences; and creates practical and plain-language educational programs for consumers and businesses in a global marketplace with constantly changing technologies. FTC’s work is performed by the Bureaus of Consumer Protection, Competition and Economics. That work is aided by the Office of General Counsel and eight regional offices.
Source: FTC.gov/About-FTC
To learn more about filing a complaint with OCR under HIPAA, visit:
https://www.hhs.gov/hipaa/filing-a-complaint/index.html
Individuals can file a complaint with OCR using the OCR complaint portal:
https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf
Individuals can file a complaint with the FTC using the FTC complaint assistant:
https://reportfraud.ftc.gov/#/